
Month: October 2011

ChiliProject 2.4.0 Released

ChiliProject 2.4.0 has just been released. It includes some bugfixes for ChiliProject 2.3.0 as well as one security fix. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Users of the old 1.x release branch, please check the 1.5.4 release which includes the security fix.

Download ChiliProject 2.4.0

What’s included

2.4.0 includes 3 new features and 8 bug fixes for 2.3.0. The major highlights of this release are:

  • The bundled Textile library, which transforms the markup used in issues and wiki pages, contained a bug that prevented it from properly escaping certain characters in URLs for image tags. This allowed a persistent cross-site scripting (XSS) vector. The fix prevents exploitation both for newly entered content and for text that is already present.
  • We tremendously improved our Ruby 1.9 compatibility. While our test suite passes completely on 1.9, we had several reports of encoding issues in the past. With this release we are very confident that these issues are fixed, to the extent possible with the current Rails and Rack implementations. However, we still recommend Ruby 1.8.7 or Ruby Enterprise Edition as the most widely deployed Ruby variants for ChiliProject.
  • Users running MySQL and Ruby 1.9 should be aware that the mysql database adapter does not seem to play nice with Ruby 1.9. We strongly recommend using mysql2 with Ruby 1.9.
  • Users using the rmagick group to export the Gantt chart as a PNG mentioned that Ruby 1.9 requires rmagick 2.0.0 or newer. We therefore adapted our Gemfile to allow newer versions to be installed. In future versions of ChiliProject we will require rmagick 2, which currently requires rather new distributions. We will announce the deprecation time frame once it has been decided.
  • The project identifier can now be created automatically from the project name, saving project managers some keystrokes.

All users of ChiliProject are strongly advised to update their installations as soon as possible, as the resolved security issue allows any user who can add or edit content to inject persistent JavaScript code into pages.
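To illustrate the class of defect described above, here is an added example (not ChiliProject's or its Textile library's code): a naive renderer for the assumed Textile image syntax `!URL!` that interpolates the URL straight into the `src` attribute, beside a hardened version that validates the URL and HTML-escapes it before emitting the tag.

```ruby
require 'cgi'
require 'uri'

# Textile image syntax assumed here: !URL!  (e.g. !https://example.com/a.png!)
IMAGE_RE = /!([^!\s]+)!/
SAFE_SCHEMES = %w[http https].freeze

# Defective pattern: the URL is interpolated into the src attribute verbatim, so a
# quote character inside it terminates the attribute and whatever follows becomes
# markup. Kept only to contrast with the hardened version below.
def render_images_unsafe(text)
  text.gsub(IMAGE_RE) { "<img src=\"#{$1}\" />" }
end

# A URL is acceptable only if it carries no characters that can alter the HTML
# context and its scheme (if any) is http or https; relative paths are allowed.
def safe_image_url?(url)
  return false if url.match?(/["'<>\\\s]/)
  scheme = URI.parse(url).scheme
  scheme.nil? || SAFE_SCHEMES.include?(scheme.downcase)
rescue URI::InvalidURIError
  false
end

# Hardened: validate the URL, then HTML-escape it before placing it in the
# attribute. Rejected markup is emitted as escaped text rather than as a tag.
def render_images_safe(text)
  text.gsub(IMAGE_RE) do
    raw, url = $&, $1
    if safe_image_url?(url)
      "<img src=\"#{CGI.escapeHTML(url)}\" />"
    else
      CGI.escapeHTML(raw)
    end
  end
end
```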

Users of Redmine should be advised that the fixed issue is also present there. There is currently no Redmine release that fixes it; it is only addressed in the trunk and 1.2-stable branches in the repository. You should either upgrade or apply the fix from the issue manually.

The full list of changes is below:

  • Bug #277: News list is missing Avatars
  • Bug #458: rmagick specified in the Gemfile doesn’t build in Ubuntu 11.04
  • Bug #591: ArgumentError (invalid byte sequence in US-ASCII)
  • Bug #640: internal error on journals for deleted custom fields
  • Bug #647: XSS: User input for images is not properly sanitized
  • Bug #652: wrong redirect after login when url contains umlaute
  • Bug #667: Label all input field and control tags
  • Bug #668: Duplicate “Modules” section on Copy Project
  • Feature #221: Use the git sha for the revision
  • Feature #240: Link to global news on projects list
  • Feature #615: Generate project identifier automatically with JavaScript

Contributors to 2.4.0

  • Eric Davis
  • Felix Schäfer
  • Greg Mefford
  • Holger Just
  • Jan Schulz-Hofen
  • Pieter Nicolai
  • Romano Licker
  • Toshi MARUYAMA
  • Etienne Massip
  • Karel Picman
  • Mischa The Evil

We would like to especially thank Mischa The Evil who informed us of the security issue. If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

In closing, go and download ChiliProject 2.4.0 now.

ChiliProject 1.5.4 released

ChiliProject 1.5.4 has just been released. This release is a security release to fix a Cross-Site-Scripting bug (XSS) that was discovered in ChiliProject 1.5.3. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 2.4.0. It is suitable for use on production websites running ChiliProject 1.x and we highly recommend that 1.x users download the release.

Download ChiliProject 1.5.4

What’s included

1.5.4 includes a security fix that was backported from ChiliProject 2.4.0.

  • Bug #647: XSS: User input for images is not properly sanitized

All users of ChiliProject are strongly advised to update their installations as soon as possible, as the resolved issue allows any user who can add or edit content to inject persistent JavaScript code into pages.

Users of Redmine should be advised that the fixed issue is also present there. There is currently no Redmine release that fixes it; it is only addressed in the trunk and 1.2-stable branches in the repository. You should either upgrade or apply the fix from the issue manually.

Contributors to 1.5.4

I’d like to thank all of the contributors to the 1.5.4 release.

  • Etienne Massip
  • Holger Just
  • Karel Picman
  • Mischa The Evil

We would like to especially thank Mischa The Evil who informed us of the security issue.

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 1.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 3.0 in early January. After that date the 1.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 2.4.0.

ChiliProject 1.5.3 released

ChiliProject 1.5.3 has just been released. This release is a security release to fix numerous major security bugs that were discovered in ChiliProject 1.5.2. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 2.3.0. It is suitable for use on production websites running ChiliProject 1.x and we highly recommend that 1.x users download the release.

Download ChiliProject 1.5.3

What’s included

1.5.3 includes 1 minor security fix that was backported from ChiliProject 2.3.0.

  • Bug #619: Redmine.pm allows anonymous read access to repositories even if Anonymous role prohibits it

Unless you use the repository integration, you do not need to update your installation, as the Redmine.pm fix is the only change included in this release.

Contributors to 1.5.3

I’d like to thank all of the contributors to the 1.5.3 release.

  • Holger Just
  • Jan Schulz-Hofen

If you think you have found a security bug in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 1.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates from now on. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 2.3.0.

ChiliProject 2.3.0 released

ChiliProject 2.3.0 has just been released. It includes some bugfixes for ChiliProject 2.2.0 as well as one security fix. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Users of the old 1.x release branch, please check the 1.5.3 release which includes the security fix.

Download ChiliProject 2.3.0

What’s included

2.3.0 includes 3 new features and 4 bug fixes for 2.2.0. The major highlights of this release are:

  • Our Gemfile is more compatible with Windows deployments.
  • The bundled Redmine.pm adapter, which connects Subversion repositories to ChiliProject's authentication and authorization model, now checks that the anonymous user actually holds the browse_repository right on public projects. This should only affect very few people. Previously it exposed read access to repositories of public projects even where the anonymous role had not been granted the browse_repository right. Non-public projects were not affected and their content was not exposed.
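The authorization check described above, as an added example in Ruby (Redmine.pm itself is Perl, and this is not its code): the roles, projects and permission names below are constructed for the example, with `anonymous` and `non_member` standing in for the built-in roles that apply to users who are not project members.

```ruby
Project = Struct.new(:identifier, :public, :members)   # members: { login => role name }
Role    = Struct.new(:name, :permissions)

# Constructed roles; 'anonymous' and 'non_member' stand in for the built-in roles.
ROLES = {
  'anonymous'  => Role.new('anonymous',  [:view_project]),   # no browse_repository
  'non_member' => Role.new('non_member', [:view_project, :browse_repository]),
  'developer'  => Role.new('developer',  [:view_project, :browse_repository, :commit_access]),
}.freeze

# Which role applies to this request? Members get their project role; everyone
# else gets a built-in role on public projects and no role at all on private ones.
def effective_role(project, login)
  return project.members[login] if login && project.members.key?(login)
  return nil unless project.public
  login ? 'non_member' : 'anonymous'
end

# Fixed behaviour: the effective role must actually carry browse_repository.
def repository_read_allowed?(project, login, roles = ROLES)
  role = effective_role(project, login)
  !role.nil? && roles.fetch(role).permissions.include?(:browse_repository)
end

# Pre-fix behaviour as the release note describes it: public projects answered
# anonymous requests without consulting the anonymous role's permissions.
def repository_read_allowed_before_fix?(project, login, roles = ROLES)
  return true if login.nil? && project.public
  repository_read_allowed?(project, login, roles)
end
```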

The full list of changes is below:

  • Bug #594: Wiki Diff somehow off
  • Bug #617: Gemfile: Missing database related platform block for Windows + RubyInstaller
  • Bug #619: Redmine.pm allows anonymous read access to repositories even if Anonymous role prohibits it
  • Bug #633: Update from 1.x to 2.x impossible under rare but valid circumstances
  • Feature #355: Turn on/off the if the start date will autofill by default
  • Feature #566: The “Watcher” filter should show all users.
  • Feature #644: Add Check/Uncheck all links to project form

Contributors to 2.3.0

  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Igor Zubkov
  • Jan Schulz-Hofen
  • Nick Peelman

A special thanks goes out to Jan Schulz-Hofen for finding and responsibly disclosing the Redmine.pm issue.

In closing, go and download ChiliProject 2.3.0 now.